Optics firm hit with biggest data breach fine in French history

France Commission Nationale de l'Informatique et des Libertés (CNIL) has fined a French optics firm €250,000 for failing to protect 334,000 customers’ data – the biggest fine ever dealt to a French company.

In July 2017 Optical Center’s website had a major security hole that allowed the CNIL to access hundreds of customer invoices by typing a selection of URLs straight into a browser’s address bar – and without authorisation.

CNIL was able to access customer information including names, addresses, dates of birth, health data regarding ophthalmic correction, and in some cases, NIR numbers.

“The delegation also noted that it was possible, from the optical-center.fr domain and without prior authentication to the customer area, to export in CSV format, a sample of 2085 files,” according to documents filed onThe Journal officiel de la République française.

But that wasn’t all – on subsequent inspections, CNIL found that invoices and order forms corresponding to website orders were freely available.

The Optical Center argued that the fine was disproportionate, according to the document on The Journal officiel de la République française.

“It recalls that it did not derive any benefit from the infringement, which is in any event of relative gravity and of limited character. The company states that the breach was unintentional and that no damage appears to have been suffered by the persons concerned. In that regard, it states that it was not possible to access the customer area or to modify the invoices of the persons concerned and, secondly, to find no trace of exploitation of said data, which have also not been indexed by the search engines.”

“The company recalls that it was extremely responsive by immediately informing its provider of the data breach, which promptly proceeded to the establishment of a fix. It also recalls having cooperated with the CNIL throughout the procedure.”

This is not the first time Optical Center has been breached – in 2015 the company was fined €50,000.

Web security company High-Tech Bridge CEO Ilia Kolochenko says it’s a sad case but also good news and a strong message that firms cannot ignore cybersecurity.

"Many European medium-sized companies substantially underestimate the importance of data protection, let alone their application and website security. The world, however, changes, and so must their attitude too.”
"I think GDPR would likely impose a less severe punishment for a first incident (since GDPR enforcement). However, for repetitive ignorance and ensued data breaches, GDPR has much more freedom to impose harsh financial penalties. One should also keep in mind that victims can make civil claims for damages suffered as a result of the breach, skyrocketing the total cost of incident.”

The CNIL says that in light of the leak, internet users need to be aware of risks to their online data, which is why it made the decision public.